From 4afbf7479829a464728555cda077979c0a7efb2b Mon Sep 17 00:00:00 2001 From: Julia Kreger Date: Mon, 29 Mar 2021 14:31:32 -0700 Subject: [PATCH] Fix Bandit check Bandit has started to fail on master. >> Issue: [B701:jinja2_autoescape_false] Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Ensure autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities. Severity: High Confidence: Medium Location: ironic/common/utils.py:491 More Info: https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html 489 # NOTE(pas-ha) not using default_for_string=False as we set the name 490 # of the template above for strings too. 491 env = jinja2.Environment( 492 loader=loader, 493 autoescape=jinja2.select_autoescape(), 494 undefined=jinja2.StrictUndefined if strict else jinja2.Undefined 495 ) It appears that Arun changed this around a little in https://review.opendev.org/c/openstack/ironic/+/777448/10/ironic/common/utils.py however this doesn't seem to pass reliably. As such, I'm returning the notation of the label to the first line as it was before, which seems to consistently pass bandit checking. Change-Id: I7f5b7323b108b303b5b77609d5903128d4adca3c --- ironic/common/utils.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ironic/common/utils.py b/ironic/common/utils.py index 390fe03055..a257531069 100644 --- a/ironic/common/utils.py +++ b/ironic/common/utils.py @@ -488,9 +488,9 @@ def render_template(template, params, is_file=True, strict=False): # and still complains with B701 for that line # NOTE(pas-ha) not using default_for_string=False as we set the name # of the template above for strings too. - env = jinja2.Environment( + env = jinja2.Environment( # nosec B701 loader=loader, - autoescape=jinja2.select_autoescape(), # nosec B701 + autoescape=jinja2.select_autoescape(), undefined=jinja2.StrictUndefined if strict else jinja2.Undefined ) tmpl = env.get_template(tmpl_name)